Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
60
Global rank
129 infographic chevron month
Month rank
109 infographic chevron week
Week rank
0
IOCs

Troldesh is ransomware — a malware that demands a payment in order to unlock encrypted files. It is also can search and steal information from the banking programs if such are found on the infected machine.

Ransomware
Type
Unknown
Origin
1 January, 2014
First seen
25 September, 2025
Last seen
Also known as
Encoder.858

How to analyze Troldesh with ANY.RUN

Type
Unknown
Origin
1 January, 2014
First seen
25 September, 2025
Last seen

IOCs

IP addresses
74.220.207.61
62.212.69.227
136.243.4.139
Hashes
f891e7b0cc019247dee60dcec4eb5cec95fe46b4c10fe574f35ff9458e1ac05e
3e98eb61e6b238064ffcecbcb974076da7839d22ee78187b764a7cbda561e8e3
35e627482a89782328378f62e03413e104d631e78837234075f13e1ed8e640f6
5dc0d62f413d50f3cf877622723f1d02b89e911a0efcb1685c3ee1a3260c3966
c02153dce99eb8730806cfe19a3f29e3d4e3fad796f4eb15962b74fb2e55fe47
5258706368517c1b50538e763345f0a6aa2a4dad4a3e7b6ead337150d11c08ed
7ac4d1342e06c486d6184a1be8035c4b4f6e9df892d9ee60a1f6731d8d660975
4dcfc60055d97b79c283f88cf219e06a76a05ca768321d25f502b907d2a7eeff
454bb3121291f7e541b052863e101351e9ce0ccdcfdc9a24561cf08057d5149b
cf065f4290fe2391fa2bd6d30a12f5dc2cc3a298de58ae5bc8d0fd4856cd4580
ca7ed026897d14cee57d3960a0e9ab61b589dd0db27b5c15c83288672797b681
372b62ef86e32bcc36904e3dc79fbea27f31bf43823706e28cbc95554ba39ce2
e15e823894414c4dfe1e4c2cd33c22891bf805e0b17705ddc502ae3245e11b10
9a9ce3c066230bf088b6ede2e1be1544a5fefeef27889702248fc91ba9008970
a8105a507cda24d05f6a7488e72ac7f8169ef1b1626fdd479630ecfe5141a375
78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199
d617c31cbfef2749e5534876cbb3a6a6f8c1883ae0c8cfa10f807601756d4aa2
c91b0dfda48acf3479114ae882b39dfd784568ab0287972078df840f1c4caf25
630e2a35256a3a9d09eba3ad1722d14a10f7970a121fa89d58bfde717662bb03
20fcb1ec5c1ce6577f193fd2d55ec157b106006a9f27547f76630fb86981e13b
Domains
cryptsen7fo43rr6.onion.to
kelurahanmojosurakarta.com
cryptsen7fo43rr6.onion
hunterdekaron.net
2vvby3tu.com
b2afikprcfzqdbcv.onion
3gyd.com
cryptorzimsbfbkx.onion
cryptorzimsbfbkx.onion.to
w2qrrab6rk5det.com
cart.tamarabranch.com
s2oxwaedphciavio.onion
a4ad4ip2xzclh6fd.onion
gxyvmhc55s4fss2q.onion
gxyvmhc55s4fss2q.onion.to
uzbqlyhj25pp77w.com
atmacareklame.ch
fourthbookdeliver.xyz
cryptsen7fo43rr6.onion.cab
Last Seen at
Last Seen at

Recent blog posts

post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 411
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 1808
comments 0
post image
Efficient SOC: How to Detect and Solve Incide...
watchers 912
comments 0

What is Troldesh ransomware?

Troldesh, also known as Encoder.858, is ransomware belonging to the Shade ransomware family. It was created in 2014. The malware encrypts files on the victim's machine and demands a ransom for the data to be restored.

Attempting to get as much information as possible, the malware also scans the target PC for banking files or banking programs to squeeze every last penny.

General description of Troldesh

Attacking Windows users mainly in Russia, Ukraine, and Germany, Troldesh is one of Russia's most commonly used encryption software.

In addition to this behavior, Troldesh ransomware often comes in conjunction with two particular malware samples, namely Mexar, and Teamspy, which allows attackers to control the victim's PC remotely and gives the virus the ability to install other malware, including trojans on the infecting PC.

In fact, unlike most other ransomware Nemty or others, this virus does not stop executing after encrypting the victim's files. Instead, it starts an infinite loop where it requests URLs of other malicious programs from the command server, downloading and installing them on a contaminated machine. This strategy means that most victims contaminated with Troldesh may end up with a whole host of infections on their PC. And even with removal tools and decryptors, it can be challenging to get rid of this issue.

Even though the malware itself has not evolved a lot throughout its lifespan, attackers' method to demand the ransom has changed. The first malware samples were used to provide an email address at which the victim could contact the hackers and negotiate the payment. In newer campaigns, ransom node demands victims to use the Tor browser to navigate to a payment page that is located on the Dark Web.

Trodlesh, as part of the Shade family, shares several familiarities with related malware: they are written in C++, utilize CTL, use a static link with a Tor client. Every particular malware sample also has a hardcoded URL of the command server. Malicious programs of this family are also known to exhibit similar or identical behavior. As such, they create ten identical ransom notes in two languages – Russian and English and name them README1.txt or README10.txt.

Troldesh malware analysis

A video simulation recorded on ANY.RUN allows us to examine the lifecycle of the Troldesh malware in a lot of detail.

process graph of a troldesh ransomware execution Figure 1: Process graph generated by ANY.RUN helps us visualize the life cycle of the virus

Troldesh execution process

Troldesh ransomware is spread in the form of a script file, either Javascript or JScript. Usually, these files are packed in an archive file that is sometimes protected with a password. In the simulation performed on ANY.RUN, after a script file was unpacked and launched, it installed an executable file from the internet. It should be noted that in the case of Troldesh, executable files typically have "not suspicious" extensions along with the likes of .jpg. After being downloaded, the files are renamed and executed.

As shown in the ANY.RUN simulation, after running, the file immediately began performing the malicious activity, namely: encrypting files, stealing personal data, deleting shadow copies, and changing autorun values in the registry. Files encrypted by the latest versions of Troldesh are known to have a .crypted000007 extension which was also the case in our simulation. Lastly, after encryption was completed, the malicious executable file dropped ransomware instructions on the desktop.

process tree of a troldesh ransomware execution Figure 2: Process tree of a Troldesh ransomware execution

How to avoid infection by Troldesh?

Since Troldesh is commonly distributed using malspam campaigns that mimic real company newsletters, a good way of staying safe is thoroughly checking for the authenticity of emails before downloading any attachments. If necessary, one can get in touch with a company that is the presumable author of the newsletter and verify that they have sent the email.

Once infected, Troldesh installs several secondary malware samples on the victim's PC, thus after Troldesh removal – malware deletes itself from the PC, it is vital to conduct a global system scan and make sure that one's machine is not swarming with other viruses as well.

Distribution of Troldesh

Troldesh ransomware is known to utilize two main attack vectors – email spam and exploit kits. Malspam campaigns usually mimic legitimate information newsletters from actual Russian companies, including banks and large supermarket chains. The emails themselves contain an archive file in which another script file is included.

Upon unpacking the archive and clicking on the file, a malicious loader is installed. It in turn downloads and installs the main payload – Troldesh itself. The loader is known to be stored on legitimate but compromised WordPress websites where it is hidden as an image file.

Troldesh is also known to utilize Axpergle and Nuclear exploit kits, and these attacks are, arguably, more dangerous than email spam as they don't require active actions from the user for the contamination process to begin. Instead, upon visiting a compromised URL, which can be a website hosted by the attackers or a legitimate website that has been hacked, the malware utilizes a vulnerability either in the browser itself or in one of the browser plugins, successfully penetrating into the users PC and starting the execution automatically. Thus, victims can get infected without ever realizing the danger, so get a removal program and a decryptor.

Communication with C&C

Address information of C&C servers is embedded in the body of each malware sample. Servers themselves are hosted on the dark web and communication is established with the use of a Tor client.

Once installed on a victim's PC, the malware requests a public key value from the server to encrypt the victim's files. Should the connection attempt fail, the virus uses one of one hundred private key values stored in its memory.

How to detect Troldesh using ANY.RUN?

Since Troldesh ransomware writes into the registry analysts can detect it by looking at registry keys. Choose the process by clicking on it in the process tree of the task then click on the "More info" button. In the "Advanced details of process" window switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a value "906D0F2E2F604F839E04" with the name "xi" into the key HKLM\SOFTWARE\System32\Configuration it's Troldesh.

Registry changes created by Troldesh Figure 3: Registry changes created by Troldesh

Conclusion

Troldesh is an extremely dangerous ransomware that is able to contaminate victims who simply end up browsing to the wrong place at the wrong time, ending up on a website hacked by the attackers. Unlike much other ransomware that simply demands money in exchange for user's encrypted data, Troldesh doesn't stop there and goes the extra mile to spread other dangerous malware samples on a victim's PC.

Utilizing analysis services like ANY.RUN is a great way to examine the virus from a safe environment and develop a sufficient defense strategy.

P.S.

On the 27th of April, 2020 authors behind Troldesh ransomware announced that they stopped distribution of the ransomware and publish the decryption keys with a decryptor and instructions. They said that apologize to all the victims of the trojan and hope that the keys they published will help them to recover their data. The same scenario had a couple of other ransomware writers, even the infamous Maze.

You can take a look at the task in which their keys and tool were used to decrypt data.

HAVE A LOOK AT

Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Mamba 2FA screenshot
Mamba 2FA
mamba
Mamba 2FA is an advanced phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) and target Microsoft 365 accounts. It focuses on intercepting authentication flows in real-time and enables threat actors to hijack user sessions and access sensitive systems even when additional security measures are in place.
Read More
LockBit screenshot
LockBit
lockbit
LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations.
Read More
HijackLoader screenshot
HijackLoader
hijackloader
HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.
Read More